About

I’m a postdoctoral researcher in the field of Cyber Security. My current research spans areas of Authentication and Usability, and Privacy. Among other things, I am researching how to improve the security of passwords without reducing usability. My work was featured in Schneier on Security, The Daily Swig, t-online.de, GIGA.de, Heise, Golem.de, Kölner Stadtanzeiger, and other media outlets.

Besides that, I have already contributed my expertise in Usable Security & Privacy to industry (e.g., Meta, Telenor). I also work as a Senior Expert DevSecOps at Vodafone.

I also co-wrote the book Programmieren trainieren (Exercise programming), which was published by Hanser Verlag.

Research Interests

  • Risk-Based Authentication
  • Usable Security and Privacy
  • Cyber Security Education
  • Mobile Authentication
  • Usable Passwords
  • Privacy Dashboards
  • Developer-Centered Security
  • Human-Computer-Interaction (HCI)

Awards

Top Talent FY23/24, Accelerated Talent FY24/25
Granted by: Vodafone

Open Data Impact Award 2022
Granted by: Stifterverband für die Deutsche Wissenschaft e.V.

Best ACSAC Video Production 2020
Granted by: Annual Computer Security Applications Conference (ACSAC)

RISE Germany Scholarship 2019, 2020
Granted by: German Academic Exchange Service (DAAD)

Best Graduate of the Year 2018/2019, Master Media Technology
Granted by: TH Köln - University of Applied Sciences

Education

Computer Science (Dr.-Ing.)
Ruhr University Bochum, Horst Görtz Institute for IT Security (2018 - 2023)
Reviewed by Markus Dürmuth, Martina Angela Sasse, and Luigi Lo Iacono
Thesis Defense Slides

Certified Information Systems Security Professional (CISSP)
International Information System Security Certification Consortium (2024)

Media Technology (M. Sc.)
TH Köln - University of Applied Sciences (2015 - 2018)

Media Technology (B. Eng.)
Cologne University of Applied Sciences (2011 - 2015)

Selected Publications

A Privacy Measure Turned Upside Down? Investigating the Use of HTTP Client Hints on the Web
ARES ’24. ACM.
@inproceedings{article_ares2024_wiefling,
  author = {Wiefling, Stephan and Hönscheid, Marian and {Lo Iacono}, Luigi},
  title  = {A {Privacy Measure Turned Upside Down? Investigating the Use of HTTP Client Hints on the Web}},
  booktitle = {19th {International} {Conference} on {Availability}, {Reliability} and {Security}},
  series = {A{RES} '24},
  location = {Vienna, Austria},
  doi = {10.1145/3664476.3664478},
  publisher = {ACM},
  month = aug,
  year   = {2024},
}

Is It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication
UbiSec ’23. Springer.
@inproceedings{article_ubisec2023_buettner,
  author = {Büttner, Andre and Pedersen, Andreas Thue and Wiefling, Stephan and Gruschka, Nils and {Lo Iacono}, Luigi},
  title  = {Is {It Really You Who Forgot the Password? When Account Recovery Meets Risk-Based Authentication}},
  booktitle = {Ubi{Sec} '23},
  location = {Exeter, United Kingdom},
  doi = {10.1007/978-981-97-1274-8_26},
  publisher = {Springer},
  month = mar,
  year   = {2024},
}

Risk-Based Authentication for OpenStack: A Fully Functional Implementation and Guiding Example
CODASPY ’23. ACM.
@inproceedings{article_codaspy2023_unsel,
  title = {Risk-{Based Authentication for OpenStack: A Fully Functional Implementation and Guiding Example}},
  author = {Unsel, Vincent and Wiefling, Stephan and Gruschka, Nils and {Lo Iacono}, Luigi},
  booktitle = {13th {ACM Conference on Data and Application Security and Privacy}},
  series = {C{ODASPY} '23},
  location = {Charlotte, NC, USA},
  publisher = {ACM},
  doi = {10.1145/3577923.3583634},
  month = apr,
  year = {2023}
}

Data Protection Officers’ Perspectives on Privacy Challenges in Digital Ecosystems
SPOSE ’22. Springer.
@inproceedings{article_spose2022_wiefling,
  author = {Wiefling, Stephan and Tolsdorf, Jan and Lo Iacono, Luigi},
  title = {Data {Protection} {Officers}' {Perspectives} on {Privacy} {Challenges} in {Digital} {Ecosystems}},
  booktitle = {4th {Workshop} on {Security}, {Privacy}, {Organizations}, and {Systems} {Engineering}},
  series = {SPOSE '22},
  location = {Copenhagen, Denmark},
  doi = {10.1007/978-3-031-25460-4_13},
  publisher = {Springer},
  year = {2023}
}

Pump Up Password Security! Evaluating and Enhancing Risk-Based Authentication on a Real-World Large-Scale Online Service
ACM TOPS. ACM.
@article{article_tops2023_wiefling,
  author = {Wiefling, Stephan and Jørgensen, Paul René and Thunem, Sigurd and {Lo Iacono}, Luigi},
  title  = {Pump {Up} {Password} {Security}! {Evaluating} and {Enhancing} {Risk}-{Based} {Authentication} on a {Real}-{World} {Large}-{Scale} {Online} {Service}},
  journal = { {ACM} {Transactions} on {Privacy} and {Security}},
  doi = {10.1145/3546069},
  publisher = {ACM},
  volume = {26},
  number = {1},
  articleno = {6},
  issn = {2471-2566},
  month = {feb},
  year   = {2023}
}

Privacy Considerations for Risk-Based Authentication Systems
IWPE ’21. IEEE.
@inproceedings{article_iwpe2021_wiefling,
  author = {Wiefling, Stephan and Tolsdorf, Jan and Lo Iacono, Luigi},
  title = {Privacy {Considerations} for {Risk}-{Based} {Authentication} {Systems}},
  booktitle = {2021 {International} {Workshop} on {Privacy} {Engineering}},
  series = {IWPE '21},
  location = {Vienna, Austria},
  doi = {10.1109/EuroSPW54576.2021.00040},
  pages = {320--327},
  publisher = {IEEE},
  month = sep,
  year = {2021}
}

"I just looked for the solution!" - On Integrating Security-Relevant Information in Non-Security API Documentation to Support Secure Coding Practices
IEEE TSE. IEEE.
@article{journals_tse2021_gorski,
  author = {Gorski, Peter Leo and Möller, Sebastian and Wiefling, Stephan and Lo Iacono, Luigi},
  journal = {IEEE Transactions on Software Engineering},
  title = {"I just looked for the solution!" - On Integrating Security-Relevant Information in Non-Security API Documentation to Support Secure Coding Practices},
  year = {2021},
  publisher = {IEEE},
  doi = {10.1109/TSE.2021.3094171}
}

Verify It’s You: How Users Perceive Risk-based Authentication
IEEE Security & Privacy. IEEE.
@article{journals_spm2021_wiefling,
  title = {Verify {It}'s {You}: {How} {Users} {Perceive} {Risk}-based {Authentication}},
  journal = {IEEE Security \& Privacy},
  author = {Wiefling, Stephan and Dürmuth, Markus and Lo Iacono, Luigi},
  month = nov,
  volume = {19},
  number = {6},
  pages = {47--57},
  year = {2021},
  publisher = {IEEE},
  doi = {10.1109/MSEC.2021.3077954}
}

What’s in Score for Website Users: A Data-Driven Long-Term Study on Risk-Based Authentication Characteristics
FC ’21. Springer.
@inproceedings{article_fc2021_wiefling,
  author = {Wiefling, Stephan and D\"{u}rmuth, Markus and Lo Iacono, Luigi},
  title = {What’s in {Score} for {Website} {Users}: {A} {Data}-{Driven} {Long}-{Term} {Study} on {Risk}-{Based} {Authentication} {Characteristics}},
  booktitle = {25th {International} {Conference} on {Financial} {Cryptography} and {Data} {Security} ({FC} '21)},
  pages = {361--381},
  location = {Grenada},
  month = mar,
  year = {2021},
  publisher = {Springer},
  doi = {10.1007/978-3-662-64331-0_19}
}

More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication
ACSAC ’20. ACM.
@inproceedings{article_acsac2020_wiefling,
  title = {More {Than} {Just} {Good} {Passwords}? A {Study} on {Usability} and {Security} {Perceptions} of {Risk-based} {Authentication}},
  booktitle = {36th {Annual} {Computer} {Security} {Applications} {Conference} ({ACSAC} '20)},
  author = {Wiefling, Stephan and D\"{u}rmuth, Markus and Lo Iacono, Luigi},
  publisher = {ACM},
  location = {Austin, USA},
  month = dec,
  year = {2020},
  doi = {10.1145/3427228.3427243},
  pages = {203--218},
  isbn = {978-1-4503-8858-0/20/12},
}

Evaluation of Risk-based Re-Authentication Methods
IFIP SEC ’20. Springer.
@inproceedings{article_ifipsec2020_wiefling,
  title = { {Evaluation} of {Risk-based} {Re}-{Authentication} {Methods}},
  booktitle = {35th {IFIP} {TC}-11 {International} {Conference} on {Information} {Security} and {Privacy} {Protection} ({IFIP} {SEC} 2020)},
  series = { {IFIP} {Advances} in {Information} and {Communication} {Technology}},
  author = {Wiefling, Stephan and Patil, Tanvi and D\"{u}rmuth, Markus and Lo Iacono, Luigi },
  publisher = {Springer International Publishing},
  location = {Maribor, Slovenia},
  volume = {580},
  pages = {280--294},
  isbn = {978-3-030-58200-5},
  doi = {10.1007/978-3-030-58201-2_19},
  month = sep,
  year = {2020},
}

Even Turing Should Sometimes Not Be Able To Tell: Mimicking Humanoid Usage Behavior for Exploratory Studies of Online Services
NordSec ’19. Springer Nature.
@inproceedings{article_nordsec2019_wiefling,
  title = {Even {Turing} {Should} {Sometimes} {Not} {Be} {Able} {To} {Tell}: {Mimicking} {Humanoid} {Usage} {Behavior} for {Exploratory} {Studies} of {Online} {Services}},
  booktitle = {24th {Nordic} {Conference} on {Secure} {IT} {Systems} ({NordSec} 2019)},
  series = { {Lecture} {Notes} in {Computer} {Science}},
  author = {Wiefling, Stephan and Gruschka, Nils and Lo Iacono, Luigi},
  volume = {11875},
  pages = {188--203},
  isbn = {978-3-030-35055-0},
  doi = {10.1007/978-3-030-35055-0_12},
  publisher = {Springer Nature},
  location = {Aalborg, Denmark},
  month = nov,
  year = {2019}
}

Is This Really You? An Empirical Study on Risk-Based Authentication Applied in the Wild
IFIP SEC ’19. Springer.
@inproceedings{article_ifipsec2019_wiefling,
  title = {Is {This} {Really} {You}? {An} {Empirical} {Study} on {Risk}-{Based} {Authentication} {Applied} in the {Wild}},
  booktitle = {34th {IFIP} {TC}-11 {International} {Conference} on {Information} {Security} and {Privacy} {Protection} ({IFIP} {SEC} 2019)},
  series = { {IFIP} {Advances} in {Information} and {Communication} {Technology}},
  author = {Wiefling, Stephan and Lo Iacono, Luigi and D\"{u}rmuth, Markus},
  volume = {562},
  pages = {134--148},
  isbn = {978-3-030-22311-3},
  doi = {10.1007/978-3-030-22312-0_10},
  publisher = {Springer International Publishing},
  location = {Lisbon, Portugal},
  month = jun,
  year = {2019}
}